Over the last decade, malicious software (malware) has become a pervasive problem for Internet users. In some situations, malware is an exploit, in the form of a program or other object, which is embedded within downloadable content and designed to adversely influence or attack normal operations of a computer. Examples of different types of exploits may include bots, computer viruses, worms, Trojan horses, spyware, adware, or any other programming that operates within an electronic device (e.g. computer, tablet, smartphone, server, router, wearable technology, or other types of electronics with data processing and network capability) without permission by the user or an administrator. In some situations, malware is obfuscated to hide the purpose of the malware, while in other situations, non-malicious software is obfuscated. For instance, software may be obfuscated for non-malicious purposes including reducing the size through compression or protecting against unauthorized access through encryption.
Obfuscation of malicious objects may increase false negatives when a malware detection system analyzes the objects. For instance, exploits that are located in an obfuscated object may be hidden from detection by the malware detection system. As an illustrative example, an exploit may be placed within an executable object whose contents have been obfuscated, and carried into an electronic device undetected by conventional malware detection software, such as antivirus programs (e.g. an exploit inserted into an object's JavaScript and the contents obfuscated to hide malicious code patterns).
Known malware detection systems employing anti-virus scanning approaches are adequate for detecting malware in un-obfuscated content but often fail to detect malware in obfuscated content. This results in a high level of false negatives. Other known malware detection systems detect malicious objects in either obfuscated or not obfuscated content by executing the content in runtime environments often established by virtualization technology and isolated from production environments for security purposes, an approach which often avoids high levels of false negatives. Unfortunately, such systems typically require substantial computing resources to establish run-time (virtual) environments required to safely process the content for an adequate period of time to observe malicious behavior. Hence, it would be desirable to provide a malware analysis scheme capable of efficiently detecting malware in obfuscated content, while avoiding high levels of false positives and high computing resource demands.